METHOD OF TRANSMITTING INFORMATION DATA FROM A SENDER TO A RECEIVER
VIA A TRANSCODER, METHOD OF TRANSCODING INFORMATION DATA, METHOD FOR
RECEIVING TRANSCODED INFORMATION DATA, SENDER, TRANSCODER AND RECEIVER

The invention relates to a method for transmitting data from a sender to a receiver via a
transcoder, which means that the information data is altered and/or reduced before
transmitting it to the receiver. The invention further relates to a method for transcoding the
information data, particularly for transcoding the information data when it comprises encrypted
confidential information data as well as non-confidential information data. The invention also
relates to a method of receiving the transcoded information data at a receiver, particularly
checking integrity of the information data and trustworthiness of the transcoder. Moreover,
the invention relates to a sender, a transcoder and a receiver, combinable to perform
transmitting of information data under use of transcoding functionality.

TECHNICAL FIELD AND BACKGROUND OF THE INVENTION 

Today, internet-browsing via the world-wide-web is by and large confined to stationary users
who have access to browsers running on powerful computing devices such as workstations or
PCs. Such devices are not only linked to the Internet via reasonably high-speed and
high-bandwidth data connections, but are also equipped with powerful software and hardware
for processing and rendering accessible the received multi-media data. Authors make
ample use of this infrastructure by creating webpages of ever-increasing complexity, both in
terms of the data contents itself which may incorporate a large variety of audio and graphics
formats, and executable contents such as applets for advanced functions such as payments,
etc.

As users become more accustomed to relying on the web as a general-purpose information
source, access to the web is becoming more desirable for users on-the-move, using devices
such as mobile telephone handsets or small and lightweight hand-held computing devices.
However, users of such devices face problems when trying to access the existing
world-wide-web infrastructure: Mobile hand-held devices are connected to the Internet via an
unusually slow and fragile data connection. This leads to unacceptably long down-load times
for inefficiently formatted data streams.



transcoder cannot be trusted, then the transcoding service is limited to operating on content
with little or no value.

Unfortunately, incorporating transcoder functionality into the server or client is unacceptable
except for few, highly security-sensitive applications, since it involves upgrades to server
software and usually server hardware. In addition, mobile devices evolve at high rates and
transcoder functionality is likely to evolve at a similar rate, leading to tight software
replacement cycles.

External transcoder services which may be offered as a commercial service by a
hand-held-device manufacturer, a data network operator or an ISP, and which could be
incorporated with existing proxy-servers, are clearly a more suitable and scaleable solution.
Unfortunately, such third-party provided transcoders can rarely be viewed as trusted parties.
Security must then be provided by applying end-to-end encryption between the server and the
client, leaving the transcoder the impossible task of operating on the encrypted data stream.

In conjunction with existing end-to-end encryption methods, known transcoders cannot be
used since they require plain-text access to the entire data stream. Their actions cannot be
verified by the clients, thus making them even less applicable for security-sensitive data
transfers.

A transcoder is e.g. described in US 5544266. In US 5729293, a device for transcoding
coded digital signals which are representative of a sequence of images, which device
comprises a variable length decoding channel followed by a variable length encoding and
decoding channel, is described. A prediction sub-assembly is connected in cascade between these
two channels, and this sub-assembly comprises, in series, between two subtracters a picture
memory and a circuit for motion compensation in view of displacement vectors which are
representative of the motion of each image. Other implementations are possible, and
particularly a scaleable one in which said prediction sub-assembly comprises at least two and
more generally a plurality of similar encoding and decoding channels arranged in cascade and
corresponding to the same number of image quality levels.

US 5745701 describes a system for interconnecting local networks via a public transmission
network, in which equipment items of the microcomputer type, connected to a local network
are capable of being connected to the public network by a router in order to communicate

The above explained advantage is increased, when each information data piece is assigned its
own piece security information part and piece transcoding-type information part, such that
the information data pieces get their own assigned profile, here at least the security- and
transcoding-type information. Then the transcoder can individually treat the information data
according to its respective profile. Interdependences between information data pieces are then
eliminated.

When an information data piece is assigned its own piece hashing information part, said
information data piece being preferably part of said non-confidential information data, again a
finer granularity in security can be achieved. Since the hashing implies that the content of the
respective information data is not to be altered, only a restricted transcoding functionality
can be applied, namely only no transcoding or deletion. Therefore it proves of advantage
that such hashing is restricted to the information data where it is in fact needed, such that a
maximum transcoding effect can be achieved.

The piece security information parts and piece transcoding-type information parts can be
translated into labels according to a translation policy and instead of said piece security
information parts and piece transcoding-type information parts, said labels can be transmitted
to said transcoder, whereby a policy information, explaining how to interpret said labels, is
made available or is already available to the transcoder. The procedure reduces the
information to be sent. This is true particularly, where a big number of piece security
information parts and piece transcoding-type information parts is to be transmitted, because the
saving of data achieved by using the shorter labels is then more and more dominating over the
additional data represented by the policy information. This method is comparable to having a
short identifier for long-to-explain actions, like acronyms. The policy information then tells
what meaning lies behind the identifier or acronym.

The labels can then be combined in a security- and transcoding-type information packet
which is completed by a signature allowing content-integrity-verification at the receiver. This
has the advantage that the receiver can make sure if the security- and transcoding-type
information packet has been modified or not. If the security- and transcoding-type information
packet has not been modified, he can check, whether the received information data has been
transcoded according to the rules contained in the security- and transcoding-type






The security- and transcoding-type information packet offers all information which is needed
for the transcoder to process the arriving information data correctly. Since the security- and
transcoding-type information is not to undergo transcoding, this security- and
transcoding-type information packet can be completed with a signature which allows to verify at
the receiver if the content of the security- and transcoding-type information packet has been
amended somewhere between sender and receiver. Fraudulent or erroneous modification of
the security- and transcoding-type information packet can hence easily be recognized at the
receiver, which makes the whole information data transmission more secure.

It is an object of the invention according to claim 19 to provide a sender for transmitting
data to a receiver via a transcoder which allows using a non-trusted transcoder for
transcoding information data which nevertheless can comprise encrypted confidential as well as
non-confidential information data.

The sender with the features according to claim 19 has the advantage that although it only
needs simple modification with respect to known senders, the advantages of transcoding can
be combined with the advantages of secure transmission of security-sensitive, i.e.
confidential information data.

A divisor means for subdividing the information data into information data pieces before
encrypting and transmitting is relatively easy to implement. Text syntax or image data header
information can be used to perform an automatic dividing.

It is an object of the invention according to claim 23 to provide a transcoder for transcoding
partly encrypted information data, according to the implied security, hence only accessing
content of non-confidential information data.

The transcoder with the features according to claim 23 has the advantage that it is receptive
for information data containing encrypted and non-encrypted information data and that it can
perform the optimum transcoding possible in that it does not try to access content of the
encrypted information data but accesses the non-confidential information data for transcoding.
The more the transcoder can dig into the information data, the higher can be the transcoding
efficiency due to a more precise knowledge in the transcoder, which information can be reduced
to which extent. However, encrypted information data is not accessible to such content
analysis which is as intended by the sender. The necessary information how to treat which

In addition, the system is flexible in that the policy regarding the transcodability and security
of individual data fields can be specified by the server.

Furthermore, the actions performed by the transcoder can be verified to the extent that the
transcoder has only modified content according to a stated policy. The assumption made
here is that the secure fields of the content require no transcoding.

The solution is applicable to scenarios where electronic commerce, on-line banking, or other
security-sensitive applications are run on Tier-0 or Tier-1 clients with limited input or output
capabilities and bandwidth-limited connections to the servers, without requiring the servers
to install and maintain a dedicated and trusted transcoder function, or where rapid
development cycles for new and improved device capabilities and therefore transcoder functions
are expected and where independent transcoder-services are therefore preferred.

Starting from an original information data stream which is divided into data fields, also 
called information data pieces, the herein proposed method can comprise the following 
steps: 

- Inserting additional tags, respectively labels, into the original data stream that mark the
data fields in terms of their transcodability, e.g. transcodable, non-transcodable, optional,
critical, etc., and their security relevance, e.g. security-sensitive, not security-sensitive, etc.,
these labels being herein referred to as security labels or piece security information part labels
and piece transcoding-type information part labels.

- Generating a policy document which defines the transcoder-allowed operations for each
tag. This policy document or policy information hence provides for the explanation of what
the labels mean, how they should be interpreted. This step can be left out if the policy is
inherently known in the transcoder.

- Separating the security-sensitive information fields and applying end-to-end encryption on
those selectively and individually, leaving the non-security-sensitive information fields
unencrypted.

- Generating a document summary, also referred to as security- and transcoding-type
information packet, based on the structure of the original input stream, hence including the
security labels and transcoding-type labels.

After the field decomposition is complete, the server 1 then attaches or assigns two classes
of labels to each field $f_i$. The first label class $L_s$ is a security label, also called piece
security information part, which indicates whether the given field $f_i$ is to be encrypted at the
time of transmission. For example, the set of possible security labels $L_s$ could be defined as

$$L_s = \{\text{secure}, \text{non-secure}\} \qquad (1)$$

and $L_s(f_i) \in L_s$, where $L_s(f_i)$ is the security label of $f_i$. The label $L_s$ could be
extended in several ways such as to include, for example, levels of encryption, e.g. with short
or long keys, to include authentication information or to include a signature.

The second label class $L_t$ is a transcoding label, also called piece transcoding-type
information part, which indicates what action the transcoder 2 may take when a content field is
received. For example a possible set of transcoding labels $L_t$ could be defined as

$$L_t = \{\text{non-transcodable}, \text{transcodable}, \text{critical}, \text{non-critical}\} \qquad (2)$$

where the exact meaning of these labels would be defined in a translation policy associated
with the server 1. For example one such policy may be to interpret the transcoding labels $L_t$
as follows:

"transcodable" implies that the content field can be transcoded at the transcoder's discretion;

"non-transcodable" implies that the transcoder 2 is not to alter the content field received from
the server 1;

"critical" implies that the field must be sent to the requesting client 3 from the transcoder 2;

"non-critical" implies that the transcoder 2 may delete the content field from the content
forwarded to the requesting client 3.

The server 1 may issue a policy statement pol(S) which contains the set of security and
transcoding labels, $L_s(S)$ and $L_t(S)$ respectively, and also a clear statement as to how the
labels are to be interpreted. Since the policy statement pol(S) contains no security-sensitive
information, it can be retrieved at any time from the server 1, and cached for later use in a
connection to the server 1 for content retrieval.

Here it is assumed that the translation policy has been chosen such that it follows the rules of
the policy information 17 already known and accessible for the transcoder 2. Therefore no

later assignment of the labels to the corresponding information data pieces, namely in the
transcoder 2 and the receiver 3. The labeling means or labeler can be fed with user
preferences to give the labeler an input about which information data pieces shall be encrypted
and/or transcoded and how. So labeling can depend on some automatic system which
automatically assigns the respective labels, e.g. following some implemented rules and/or depend
on given rules or individual labeling preferences, given by a user or derived from a list.
Sometimes labeling can be done by following a fixed labeling scheme and sometimes an
individualized labeling list might be the optimum solution to tell the labeler which label value it
has to stick to which information data piece.

Herein the group of all security labels is referred to as group of piece security information
parts, denoted with SIL, while the group of transcoding labels is referred to as group of
piece transcoding-type information parts, denoted with TIL. In other words, each field,
respectively information data piece, has its piece security information part, whereby all piece
security information parts together form the security information. The security information
can be split up into the group of all security labels and the corresponding translation policy
information. Hence, for each field the piece security information part can be also split up into
the security label and the corresponding translation policy information, short policy
information.

The TIL together with the corresponding policy information forms the transcoding-type
information 13, which in the figure is depicted in a simplified form. The SIL together with the
corresponding policy information forms the security information 12, which in the figure is
also depicted in a simplified form. The principle is that the transcoder 2 shall be provided
with all information needed for performing the transcoding according to the sender's wish
which is expressed in a form that the transcoder 2 can understand and interpret for correct
execution. This means that the security information 12 and the transcoding-type information
13 are transmitted to the transcoder 2 either in the label form which implies that the
transcoder 2 understands the labels, either because the transcoder 2 already has the
corresponding translation policy available, or is designed to understand the labels directly or is or
has been provided with the policy information 17 by the sender 1 or by any other institution,
or that in the case, a policy-label split version is not desired or realizable for whatever
reason, the non-labeled security information 12 and the non-labeled transcoding-type

Without loss of generality it is assumed that the first j fields $f_1, f_2, \ldots, f_j$ are labeled as
secure, while the remaining fields $f_{j+1}, f_{j+2}, \ldots, f_N$ are labeled as non-secure. The server 1
then forwards the following tuple to the transcoder 2:

$$\langle\, \mathrm{sum}(D),\ \mathrm{sign}(\mathrm{sum}(D)),\ E_K(d(f_1)), \ldots, E_K(d(f_j)),\ d(f_{j+1}), \ldots, d(f_N) \,\rangle \qquad (7)$$

where $d(f_i)$ is the data associated with field $f_i$, and $E_K(d(f_i))$ is the encryption of the data
associated with field $f_i$ under the encryption key K. The data of each secure field is encrypted
individually.

The transcoder 2 comprises decision means 4, denoted with TC, for deciding which part of
the received partly encrypted information data 14, 15 is to be transcoded before transmitting
it to the receiver 3.

Hereby the encrypted confidential information data 14 is only transcodable without using its 
content while the non-confidential information data 15 is transcodable, having access to its 
content. 

In principle, transcoding means that the received encrypted confidential information data 14
is reduced in its size or complexity. This can be done in various levels, such as a very strong
transcoding, resulting in an absolutely minimized version of the encrypted confidential
information data 14 and the non-confidential information data 15, and to the opposite a rather
lean transcoding, reducing the encrypted confidential information data 14 and the
non-confidential information data 15 only to some minor extent. Transcoding can comprise data
compression or partial data deletion. Here, the security- and transcoding-type information
12, 13 is read from the security- and transcoding-type information packet 11 and used for
transcoding the encrypted confidential information data 14 and the non-confidential
information data 15 leading to transcoded encrypted confidential information data 24, denoted with
TECD, and transcoded non-confidential information data 25, denoted with TNCD.

The transcoder 2 here operates on the received data stream 14, 15 in two passes. In the first
pass, the transcoder serializes the data by removing subfield structure from each field. For
example, if $f_i$ is a field and $f_{ij}$ a subfield of $f_i$, this serializing can be thought of as
performing the following operation

$$d(f_i) = \langle \ldots, d(f_{ij}), \ldots \rangle \;\longrightarrow\; \langle \ldots, \langle \mathrm{ptr} \rangle, \ldots \rangle, \quad \mathrm{ptr}: \langle d(f_{ij}) \rangle \qquad (8)$$

The structure of the original content D as it existed on the server 1 is represented in sum(D),
which the client 3 can verify by checking the server's signature sign(sum(D)) on sum(D).
Thus the client 3 is able to determine the set of fields that represent D, as specified by the
server 1. Further, since the security- and transcoding-type information packet sum(D)
contains the label tuples for each field of the content D, the client 3 may verify the labeling that
the server 1 chose for the fields of the content D. In particular, the client 3 can determine
which fields were designated as secure by the server 1, and which were designated as
transcodable by the server 1.

The client 3 then checks that all fields that were specified in the security- and
transcoding-type information packet sum(D) as secure and critical, have not been deleted or
modified by the transcoder 2 in the transcoded encrypted information data
$T(E_K(d(f_1)), \ldots, E_K(d(f_j)))$.
Here, at least part of this verification is provided by the encryption algorithm E which may
include authentication information about the data that was encrypted.

Also, the client 3 can compare the set of transcodable fields as specified in sum(D) with the
received fields $T(d(f_{j+1}), \ldots, d(f_N))$ to verify that the transcoding process has not deleted or
inappropriately modified any content that could be represented at the client 3.
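
The receiver-side checks described above, together with the sender's construction of sum(D), can be sketched as follows; this is an added example, not part of the patent text. Assumptions: HMAC-SHA256 stands in for the server's signature sign(sum(D)), each field carries one alterability label and one criticality label, a SHA-256 digest in sum(D) (in the manner of the piece hashing information part) stands in for the authentication the text attributes to E, and all field names, keys and data are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in here for the server's signature on
# sum(D); a deployment needs a public-key signature so that neither the
# transcoder nor the client can forge it.
SERVER_KEY = b"constructed-demo-key"

# Constructed content D: (field id, security label, two transcoding labels,
# data). For "secure" fields the data stands for the ciphertext E_K(d(f_i));
# encryption itself is outside this example.
DOCUMENT = [
    ("account", "secure", "non-transcodable", "critical", b"<ciphertext-1>"),
    ("amount", "secure", "non-transcodable", "critical", b"<ciphertext-2>"),
    ("terms", "non-secure", "non-transcodable", "critical", b"Fee: 1.50"),
    ("logo", "non-secure", "transcodable", "non-critical", b"\x89PNG-bytes"),
    ("body", "non-secure", "transcodable", "critical", b"<h1>Welcome</h1>"),
]


def digest(data):
    return hashlib.sha256(data).hexdigest()


def build_summary(fields):
    """Sender: build sum(D) from the field labels and sign it."""
    entries = []
    for fid, sec, alter, keep, data in fields:
        entry = {"id": fid, "sec": sec, "alter": alter, "keep": keep}
        # Pin content only where the labels forbid alteration, so the
        # transcoder keeps full freedom on every other field.
        if sec == "secure" or alter == "non-transcodable":
            entry["sha256"] = digest(data)
        entries.append(entry)
    blob = json.dumps(entries, sort_keys=True).encode()
    return blob, hmac.new(SERVER_KEY, blob, hashlib.sha256).hexdigest()


def verify_transcoding(blob, sig, received):
    """Receiver: return the list of policy violations (empty = accepted)."""
    expected = hmac.new(SERVER_KEY, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return ["sum(D) signature invalid"]  # labels cannot be trusted
    entries = json.loads(blob)
    violations = []
    for e in entries:
        data = received.get(e["id"])
        if data is None:
            if e["keep"] == "critical":
                violations.append(e["id"] + ": critical field deleted")
        elif "sha256" in e and digest(data) != e["sha256"]:
            violations.append(e["id"] + ": protected field modified")
    known = {e["id"] for e in entries}
    for fid in sorted(set(received) - known):
        violations.append(fid + ": field not listed in sum(D)")
    return violations


def honest_transcoder(fields):
    out = {fid: data for fid, _s, _a, _k, data in fields}
    del out["logo"]              # non-critical: deletion is allowed
    out["body"] = b"Welcome"     # transcodable: reduction is allowed
    return out


def rogue_transcoder(fields):
    out = {fid: data for fid, _s, _a, _k, data in fields}
    out["amount"] = b"<ciphertext-X>"  # alters a secure field
    del out["terms"]                   # drops a critical field
    out["ad"] = b"injected"            # adds a field the server never sent
    return out


if __name__ == "__main__":
    blob, sig = build_summary(DOCUMENT)
    print(verify_transcoding(blob, sig, honest_transcoder(DOCUMENT)))
    print(verify_transcoding(blob, sig, rogue_transcoder(DOCUMENT)))
```

The signature check comes first because every later decision depends on the labels in sum(D); a packet whose labels were relaxed in transit is rejected before any field is examined.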

6. Method according to claim 4 or claims 4 and 5, characterized in that the piece security
information parts and piece transcoding-type information parts are translated into labels
(SIL, TIL) according to a translation policy, that instead of said piece security
information parts and piece transcoding-type information parts, said labels (SIL, TIL)
are transmitted to said transcoder (2), whereby a policy information (17), explaining
how to interpret said labels (SIL, TIL), is made available or is already available to the
transcoder (2).

7. Method according to claim 6, characterized in that the labels (SIL, TIL) are combined
in a security- and transcoding-type information packet (11) which is completed by a
signature (10) allowing content-integrity-verification at the receiver (3).

8. Method of transcoding in a transcoder (2) partly encrypted information data (14, 15)
received from a sender (1) and to be transmitted to a receiver (3), whereby said partly
encrypted information data (14, 15) comprises non-confidential information data (15)
and encrypted confidential information data (14), and is accompanied by security
information (12) and transcoding-type information (13), which is used for deciding
which part of said partly encrypted information data (14, 15) is to be transcoded before
transmitting it to said receiver (3), whereby said encrypted confidential information
data (14) may only be transcoded without using its content while said non-confidential
information data (15) may be transcoded, having access to its content.

9. Method according to claim 8, characterized in that the partly encrypted information
data (14, 15) is received subdivided into information data pieces.

10. Method according to claim 9, characterized in that each information data piece has 
assigned its own piece security information part and piece transcoding-type information 
part. 

11. Method according to claim 10, characterized in that the piece security information parts
and piece transcoding-type information parts arrive in the form of labels (SIL, TIL) and
that for transcoding, a policy information (17) which is available to the transcoder (2)
is used, which explains how to interpret said labels (SIL, TIL).

18. Method according to claim 17, characterized in that a content-integrity-verification of a
security and transcoding-type information packet (11) comprising the labels (SIL, TIL)
is performed using a signature (10) thereof.

19. Sender (1) for transmitting information data (9) to a receiver (3) via a transcoder (2), 
which transcodes said information data (9) before transmitting it to said receiver (3), 
said information data (9) comprising confidential information data (16) and 
non-confidential information data (15), characterized in that said sender (1) comprises 
an encryptor (5) for encrypting said confidential information data (16), and that 
together with the partly encrypted information data (14, 15) to said transcoder (2), 
security information (12) and transcoding-type information (13) is sendable, being 
usable by said transcoder (2) for said transcoding, whereby said encrypted confidential 
information data (14) is transcodable without using its content while said 
non-confidential information data (15) is transcodable, having access to its content. 

20. Sender (1) according to claim 19, characterized in that it comprises divisor means (21) 
for subdividing the information data (9) into information data pieces before encrypting 
and transmitting. 

21. Sender (1) according to claim 20, characterized in that each information data piece has
assigned its own piece security information part and piece transcoding-type information
part and that instead of said piece security information parts and said piece
transcoding-type information parts, to said transcoder (2), labels (SIL, TIL) are
transmittable, into which according to a translation policy, said piece security
information parts and said piece transcoding-type information parts are translatable,
whereby a policy information (17), explaining how to interpret said labels (SIL, TIL),
is deliverable or is already available to the transcoder (2).

22. Sender (1) according to claim 21, characterized in that it comprises a packetizer (23)
for combining the labels (SIL, TIL) in a security- and transcoding-type information
packet (11) and a signature-generator (22) for completing said packet (11) by a
signature (10), which allows content-integrity-verification at the receiver (3).

26. Receiver (3) according to claim 25, characterized in that the transcoded partly
encrypted information data (24, 25) is received subdivided into information data pieces,
that the piece security information parts and piece transcoding-type information parts
arrive in the form of labels (SIL, TIL) and that with the comparison means (7), under
use of a policy information (17) which is available to said receiver (3) and a policy
information interpreter (8), said labels (SIL, TIL) are interpretable and that thereby the
correctness of the transcoding is testable.

27. Receiver (3) according to claim 26, characterized in that a content-integrity-verification
of a security and transcoding-type information packet (11) comprising the labels (SIL,
TIL) is performable with an integrity-check means (6) using a signature (10) of said
packet (11).




